In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the situational awareness needed to stay on top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculation and real-time CYBERINT assessments, all packed with a sarcastic attitude.

Wednesday, May 26, 2010

Inside a Commercial Chinese DIY DDoS Tool

One of the most commonly used tactics by shady online enterprises wanting to position themselves as legitimate ones (Shark2 - RAT or Malware?) is to promote malicious software or Denial of Service attack tools as remote access control tools/stress testing tools.

Chinese "vendors" of such releases are particularly interesting, since their front pages always position the tool as a 100% legitimate one, whereas going through the documentation, and actually testing its features reveals its true malicious nature. Moreover, once the vendor starts trusting you -- like the one whose DDoS tool is profiled in this post -- you're given access to the private section of their forum, where they are directly pitching you with DDoS for hire propositions, starting from $100 for 24 hours of non-stop flood.

Interestingly, the "vendor" is offering value-added services in the form of managed command and control server changes, the typical managed binary obfuscation, as well as custom features, removal of features in an attempt to decrease the size of the binary, but most importantly, they use differentiated pricing methods for their tool. Educational institutions, small businesses and home office clients can get special prices.

Why would the vendor include anti sandboxing capabilities in the latest version of the tool?

Why would the vendor also include P2P spreading and USB spreading modules?

An excerpt from the banking experiment:
"MS-recorder to wear all the safety test shows the major B2C online banking security controls. Received after the first test colt extracting file, which has ma.exe procedures. As the tests are over. Please turn off antivirus software and security software testing. . .

Wear all safety major B2C online banking security controls currently supports more than can be intercepted more than 160 online online payment platform And major online banking. After running ma.exe can log on to the respective online banking program Alipay paypal or procedures to test, test and test interception of information stored in the pony

The same directory, Test will generate Jlz-1, Jlz-2, Jlz-3 ... folder, such files in the folder will be 1.bmp, 2.bmp, 3.bmp ... picture, or there txt Notepad, view the. txt and picture, get the interception of data and information. Test window will prompt pony run, test interception of information larger, there is no written function. To solve the above problem, please purchase the official version, run silent, run automatically delete itself, no process at startup, had all killed, the interception of information

Expected small size, with letters function. VIP version of the generator purchase one year of free updates, free to kill three months to buy the colt package. Set the FTP transmission method to send the interception of STMP FTP. Perfect information theft can steal all the passwords and related information, such as: QQ, ICQ, Yahoo Messenger, Vicq, OutLook, FlashFXP, PayPal, E-mail and paypal (no security control), Legend, mercenary legend, Journey to the West, etc. (include account number, area and other relevant information), of course, the same information on the page steal, such as: mail, forums, close protection, and other (including user name, password and other related information), or even playing in the diagram, Password chip can, because it can record the keyboard and mouse actions. It is worth mentioning that, no matter what way you enter the password (such as Paste from somewhere, then paste the part of the input part, the number before the 0, deliberately enter the wrong password first and then delete the wrong part, etc.) Adopted the "filters" which makes stealing the contents do not appear out of "junk" in precise steal ... The correct password."

Clearly, these folks are not just inspired to keep introducing new features into the tool, but are starting to realize the potential of the crimeware market, with the vendor itself serving as a good example of how, once such an operation is allowed to continue, it naturally evolves in the worst possible direction. The author of ZeuS, however, shouldn't feel endangered in any way.

Screenshots of the DIY DDoS Platform, including the offers for multiple versions, VIP, custom-made samples, etc.: